Rebol.org plugin question
[1/8] from: jasonic::nomadics::org at: 1-Sep-2004 12:04
What would it take to add a "run this script in browser" link/button on Rebol.org?

I am thinking probably quite a number of scripts can be run directly online, especially view/vid work.

Perhaps people submitting scripts could even add a 'rebplug' flag in their header blocks to make it easy to maintain the site run plugin autolinks?

- Jason
[2/8] from: SunandaDH:aol at: 1-Sep-2004 13:09
> What would it take to add a "run this script in browser" link/button on
> Rebol.org ?
Good question....It would take three things:

1. As you suggest, scripts in question would need to be flagged in their Library header as type: [... plugin ...] so we'd know that they *could* be executed in a browser. That's explained here:
http://www.rebol.org/cgi-bin/cgiwrap/rebol/boiler.r?display=terms.html
and here:
http://www.rebol.org/cgi-bin/cgiwrap/rebol/one-click-submission-help.r?help=type

2. The view-script and search CGIs at REBOL.org would need to spot the type of plugin and offer a "run as plugin" link in addition to the view and download options they offer now. That's technically fairly simple, but has not been done -- just a matter of getting the object tag right as explained in:
http://www.rebol.net/plugin/tests/plugin-guide.html#section-4.1

3. The Library team would need to be persuaded that (2) is a safe and worthwhile thing to do:

-- safety -- I've not looked into the issues. I'd appreciate some responses here from anyone who has.

-- worthwhile -- seems little point in doing (2) while no one has yet contributed a script that is flagged as a plugin (or updated their earlier scripts to say that they are pluginable).....Of course, I appreciate that that is partially a chicken and roundabouts situation: why should anyone do (1) when we haven't done (2)?

I guess the way to break that impasse is for people to contribute plugin scripts, and then the Library team has to play catch-up.

Sunanda.
[3/8] from: tomc::darkwing::uoregon::edu at: 1-Sep-2004 10:11
there is the whole only works on XP with IE or latest firefox with ActiveX plugin that would have to be spelled out

On Wed, 1 Sep 2004, Jason Cunliffe wrote:
[4/8] from: jasonic::nomadics::org at: 1-Sep-2004 16:02
Sunanda

Thanks for your comments..

-- Security --
My understanding was that the Rebol plug-in already sandboxes Rebol scripts in the browser from doing damage, just as flash does - i.e. locks one out of the file system. Please can anyone clarify this?

-- Catch-22:Chicken-Egg --
Yes I appreciate your 'If they come, we will play' approach. I'll bet though that there are many small View scripts already on Rebol.org which would run as is. Must be all kinds of small demos and technique how-to examples. I suppose a script could parse through looking for 'show view layout' etc and try to run them in the browser. A fast hack to explore scope of the existing possibilities and hope to encourage future ones.

-- Platform --
Re: Tom's comment about needing XP: IE and Firefox installation caveats.. Yes true. But that should not be an obstacle. XP and IE are incredibly popular, like them or not. Firefox improves thinking people's attitude/experience of XP. More exposure for rebol is a good thing (tm)

RT and community spent a lot of precious effort [at the expense partly of new View] to get Plug-in released. Therefore build upon that investment by making it as easy as possible to use.

Does anyone have stats on browser platform access to Rebol.org for example? How many people are in fact using XP : IE Firefox ?

I see transparent access to rebol plug-in at rebol.org working like a nice intro to Easy-Vid. You know
--> Display code snippets
--> click text to run/view
--> Smile and go wow/aha :-)

-- Evangels--
My background argument as always is that Rebol needs better web exposure. Rebol.org has increased the Google/Division visibility significantly. There is a new generation of potential Rebolers who could be about to discover Rebol. Flash Actionscript programming while much more powerful, has also gotten considerably more complicated and expensive for newbies. Rebol in the browser is a great mini-laboratory for kids to learn and play with.

Jason
[5/8] from: hallvard::ystad::oops-as::no at: 2-Sep-2004 0:46
Hi

I want to reply to this, although I've only read the messages in the thread on rebol.org, since I still do not receive any list emails. This really is only bragging about my own little hobby project, so ignore if you wish.

The rix already offers the possibility to use any rebol script found on the internet as a plugin script. There are of course a few gotchas, like for instance the fact that rix will plug in anything that has a valid rebol header. /Core scripts tend to be a bad experience as a plugin script. But if rebol.org should ever want to implement such a feature, I'll be happy to share my rebol- and html-code.

See this URL for an example:
http://www.oops-as.no/rix?plugin=yes&url=http://www.oops-as.no/roy/rebol-scripts/prob.r
(this, by the way, crashes my firefox0.9.3 repeatedly! Try with IE)

Rix will look for "msie" in your user-agent string and only offer to plug in scripts for IE. I'll change this to accept also Firefox. Soon.

HY
[6/8] from: SunandaDH::aol::com at: 2-Sep-2004 4:47
> there is the whole only works on XP with IE or latest firefox with
> ActiveX plugin that would have to be spelled out
Good point, thanks. If/when we provide a "run this script" link it'd have to go to a page that explains that nothing may happen, and what to do if it does.

Jason:
> My understanding was that the Rebol plug-in already sandboxes Rebol scripts
> in the browser from doing damage, just as flash does -
> i.e. locks one out of the file system.
That's exactly the sort of question I'd like the answer to too. Is the sandbox completely overridden when someone clicks "yes to all" to the security message -- as it is in unplugged REBOL?
> I suppose a script could parse through looking for 'show view layout'
> etc and try to run them in the browser.
> A fast hack to explore scope of the existing possibilities and hope to
> encourage future ones.
Another possibility for a fast track is to enable plugin execution only for named Library members. That way you and a few other brave REBOL skirmishers could explore the issues while only risking your own machines. If anyone wants to be part of a plugin beta team at REBOL.org, please let me know your REBOL.org user-name.
> Does anyone have stats on browser platform access to Rebol.org
> for example?
> How many people are in fact using XP : IE Firefox ?
I got stats by the bucketload. But turning them into facts is not so easy. Browsers spoof their identities and there is no 100% way of knowing what they really are.

Having said that, here's some stats for the whole of the month just gone, August.

We executed 129,081 CGIs. Plus we served an unknown (because I haven't looked it up) number of static pages (not that many: not much of the site is static).

Of those 129,081 CGIs, there were 1566 different user-agent identification strings. From those we have to work out what the browsers might be. Here are some actual UA id strings from August:

    Mozilla/5.0 (compatible; Konqueror/3.1; FreeBSD)
    Mozilla/5.0 (Windows NT 5.1; U) Opera 7.53 [en]
    Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.7) Gecko/20040628 Firefox/0.9.1
    Mozilla/5.0 (Macintosh; U; PPC; en-US; rv:1.2.1) Gecko/20021130
    Mozilla/5.0 (X11; U; Linux ppc; en-US; rv:1.6) Gecko/20040414 Epiphany/1.2.6
    Mozilla/5.0 (X11; U; Linux i686; en-GB; rv:1.4) Gecko/20030630 Galeon/1.3.8

Note that the major identity in all the examples is "Mozilla/5.0" while the various sub-strings suggest a range of platforms and browsers.

    474   12819    9.9%   gecko

This means 474 different browsers identified themselves as "gecko" (i.e. had gecko somewhere in their UA id string). We executed 12,819 CGIs for them. That's 9.9% of our total CGIs.

Similarly:

    777   26002   20.1%   msie
    163    6715    5.2%   firefox
    213    2492    1.9%   linux
     66    2760    2.1%   mac os
     18    1063    0.8%   rebol (mainly automated services for downloading packages and scripts)
     13      47    0.0%   amiga

(Note there is some double counting: "Mozilla/5.0 (X11; U; Linux i686; en-GB; rv:1.4) Gecko/20030630 Galeon/1.3.8" is both "linux" and "gecko")

It is also not easy to turn these figures into counts of *human* visitors. Approximately half the total visits are from bots, so that "9.9% Gecko" is probably closer to "20% human visitors using Gecko".

One conclusion you can draw is that REBOL.org attracts an above-average number of non-IE users. That's probably not a surprise.

If anyone wants the August UA list to do their own stats, please let me know -- it's a 12K file.

Hallvard:
> But if rebol.org should ever want to implement such a feature,
> I'll be happy to share my rebol- and html-code.
Thanks we might take you up on that.......It's also another fast track way for anyone who wants to start experimenting with running random scripts as plugins.

Sunanda
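The substring tally described in the message above, as an added example that is not part of the original thread: it counts distinct UA strings and CGI hits per token and shows why the buckets overlap. The UA strings are the ones quoted in the message; the hit counts, the function names and the assumption that bots never match a token are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample: (user-agent string, CGI requests). Hit counts are made up.
SAMPLE_LOG = [
    ("Mozilla/5.0 (compatible; Konqueror/3.1; FreeBSD)", 40),
    ("Mozilla/5.0 (Windows NT 5.1; U) Opera 7.53 [en]", 25),
    ("Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.7) "
     "Gecko/20040628 Firefox/0.9.1", 60),
    ("Mozilla/5.0 (Macintosh; U; PPC; en-US; rv:1.2.1) Gecko/20021130", 15),
    ("Mozilla/5.0 (X11; U; Linux ppc; en-US; rv:1.6) Gecko/20040414 Epiphany/1.2.6", 30),
    ("Mozilla/5.0 (X11; U; Linux i686; en-GB; rv:1.4) Gecko/20030630 Galeon/1.3.8", 30),
]
TOKENS = ["gecko", "msie", "firefox", "linux", "mac os"]


def tally(log, tokens):
    """Return {token: (distinct UA strings, CGI hits, % of all hits)}."""
    total = sum(hits for _, hits in log)
    per_ua = defaultdict(int)
    for ua, hits in log:                 # collapse repeated UA strings first
        per_ua[ua.lower()] += hits
    result = {}
    for tok in tokens:
        matched = [h for ua, h in per_ua.items() if tok in ua]
        result[tok] = (len(matched), sum(matched),
                       round(100.0 * sum(matched) / total, 1))
    return result


def double_counted(log, tokens):
    """UA strings that fall into more than one bucket (e.g. linux and gecko)."""
    return [ua for ua, _ in log if sum(t in ua.lower() for t in tokens) > 1]


def human_share(pct_of_all_hits, bot_fraction=0.5):
    """Rescale a bucket's share to human traffic only.

    Assumes (constructed simplification) that no bot traffic matches the token.
    """
    return round(pct_of_all_hits / (1.0 - bot_fraction), 1)


if __name__ == "__main__":
    for token, row in tally(SAMPLE_LOG, TOKENS).items():
        print("%5d %7d %5.1f%%  %s" % (row + (token,)))
    print("double counted:", len(double_counted(SAMPLE_LOG, TOKENS)))
    print("9.9% of all hits ->", human_share(9.9), "% of human hits")
```

Because one UA string can match several tokens, the percentage column can sum to more than 100, and none of it says anything about clients that send a spoofed string.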
[7/8] from: rebol-list2::seznam::cz at: 16-Sep-2004 0:44
Hello Jason,

Wednesday, September 1, 2004, 10:02:23 PM, you wrote:

JC> Sunanda
JC> Thanks for your comments..
JC> -- Security --
JC> My understanding was that the Rebol plug-in already sandboxes Rebol scripts
JC> in the browser from doing damage, just as flash does -
JC> i.e. locks one out of the file system.
JC> Please can anyone clarify this?

I think there are still some issues as you can work with ports without user permissions so for example someone can make a script which will attack other pages or spam anybody and the user doesn't need to know that something is happening - if he's not using some firewall (which is necessary these days)

But such attacks can be done from flash as well (except spamming of course).

Best regards,
rebOldes
-----------------[ http://oldes.multimedia.cz/ ]
[8/8] from: SunandaDH::aol::com at: 20-Sep-2004 11:07
> I think there are still some issues as you can work with ports without
> user permissions so for example someone can make a script which will attack
> other pages or spam anybody and user don't need to know that something
> is happening -
Thanks for that.....That was my understanding too. Which is partially why we've been cautious in implementing the plugin at REBOL.org.....It would be too simple for someone to upload a malicious script which is then just a naive IE click away from doing some damage.

I've just uploaded what should be the final stage of implementing the plugin **safely** at REBOL.org. Our "security model" is two-phase:

1. Any Library member can upload a script and mark it as "plugin". We will allow the owner to run it under the plugin but not others.

2. A member of the "plugin posse" checks the script for malicious intent. If they don't find anything, they will flag the script as okay for the plugin.

There are currently three scripts that are plugin enabled -- they should all appear on this list with a *Run* link enabled.
http://www.rebol.org/cgi-bin/cgiwrap/rebol/search.r?special-filter=recent

There would be many more, but we're still waiting for script owners to update their scripts to say that they are plugin-ready:
http://www.rebol.org/cgi-bin/cgiwrap/rebol/ml-display-message.r?m=rmlHVHC

If you'd like to be on the plugin posse, please let me know.

Sunanda
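A sketch of the two-phase gate described in the message above, added here as an example; it is not REBOL.org's code. The names `Script`, `approve` and `show_run_link` are hypothetical, the sample script is constructed, and binding an approval to a hash of the reviewed text (so an edit after review falls back to owner-only) is an assumption of this example that the thread does not describe.

```python
import hashlib
import re
from dataclasses import dataclass
from typing import Optional

# Matches "type: [a b c]", "type: 'word" or "type: word". Simplification:
# the first match anywhere in the text is taken to be the header entry.
TYPE_RE = re.compile(r"\btype:\s*(?:\[([^\]]*)\]|'?([\w-]+))", re.IGNORECASE)


def is_plugin_flagged(source: str) -> bool:
    """True if the header's type entry lists the word 'plugin'."""
    m = TYPE_RE.search(source)
    if not m:
        return False
    words = (m.group(1) or m.group(2) or "").replace("'", " ").split()
    return "plugin" in (w.lower() for w in words)


def digest(source: str) -> str:
    return hashlib.sha256(source.encode("utf-8")).hexdigest()


@dataclass
class Script:
    owner: str
    source: str
    approved_digest: Optional[str] = None   # set by a reviewer in phase 2


def approve(script: Script) -> None:
    """Phase 2: a reviewer records approval of exactly this text."""
    script.approved_digest = digest(script.source)


def show_run_link(script: Script, viewer: str) -> bool:
    """Phase 1: owner only. Phase 2: anyone, once reviewed and unchanged."""
    if not is_plugin_flagged(script.source):
        return False
    if viewer == script.owner:
        return True
    return script.approved_digest == digest(script.source)


# Constructed sample script (not taken from the Library).
SAMPLE = '''REBOL [
    Title: "Demo"
    Library: [level: 'beginner type: [demo plugin] platform: 'windows]
]
view layout [button "Hi"]
'''
```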